Bug #91387

Relax constraints on serializing objects

Added by Oliver Hader about 2 months ago. Updated about 2 months ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
Security
Target version:
Start date:
2020-05-13
Due date:
% Done:

100%

TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
Is Regression:
Yes
Sprint Focus:

Description

With security advisory https://typo3.org/security/advisory/TYPO3-CORE-SA-2020-004 new BlockSerializationTrait has been introduced blocking serialization and deserialization for a couple of classes (see advisory for details). Since this causes a couple of side-effects for valid use-cases, the restriction on serialize() is removed - which is fine from a security point of view.

Possible use case:
Some system state has to be persisted for documentation purposes, which needs a working serialization. De-serialization is not needed in such cases.
Reported by Gernot Leitgab in https://typo3.slack.com/archives/C0K5MU94J/p1589366052028100
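The distinction the report relies on is that only deserialization creates a security risk: unserialize() rebuilds an object with attacker-controllable state, whereas serialize() merely reads state out of an object the application already holds. The following illustrative trait (added here; it is not TYPO3's BlockSerializationTrait and does not claim to match its code) shows the relaxed shape: serialize() keeps working, unserialize() is refused by a __wakeup() hook that always throws. The class name ConnectionSettings and its values are constructed for the example.

```php
<?php
declare(strict_types=1);

/**
 * Illustrative trait (not TYPO3's own BlockSerializationTrait): it keeps
 * unserialize() blocked while leaving serialize() usable, which is the
 * behaviour the fix described above moves to.
 */
trait BlockDeserializationTrait
{
    // unserialize() calls __wakeup() after rebuilding an object of this
    // class (unless __unserialize() is defined, which this trait avoids).
    // Throwing here prevents untrusted payloads from instantiating the
    // class with arbitrary state.
    public function __wakeup(): void
    {
        throw new \BadMethodCallException(
            sprintf('Deserialization of %s is not allowed', static::class)
        );
    }

    // Intentionally no __sleep(): serialize() remains usable so that object
    // state can still be persisted, e.g. for documentation or diagnostics.
}

final class ConnectionSettings
{
    use BlockDeserializationTrait;

    /** @var string */
    private $host;
    /** @var int */
    private $port;

    public function __construct(string $host, int $port)
    {
        $this->host = $host;
        $this->port = $port;
    }
}

// Constructed sample object.
$settings = new ConnectionSettings('db.example.internal', 3306);

// Serialization works: the state can be written to a log or a cache entry.
$blob = serialize($settings);
echo $blob, PHP_EOL;

// Deserialization is refused, regardless of where the blob came from.
try {
    unserialize($blob);
} catch (\BadMethodCallException $e) {
    echo 'Blocked: ', $e->getMessage(), PHP_EOL;
}
```

A per-class hook like this complements, rather than replaces, the generic PHP defence of calling `unserialize($data, ['allowed_classes' => false])` (or an explicit allow-list) wherever serialized data crosses a trust boundary; the trait protects the class even when a caller forgets that option.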


Related issues

Related to TYPO3 Core - Bug #91393: Cachingproblems after recent TYPO3 9.5.17 Closed 2020-05-14
Related to TYPO3 Core - Bug #88613: Replace ObjectStorage & LazyObjectStorage with symfony/collection Accepted 2019-06-21
Related to TYPO3 Core - Bug #91404: After update from 9.5.16 to 9.5.17 I get an error 'Cannot serialize' Closed 2020-05-14
Related to TYPO3 Core - Bug #91364: Extbase/CachingFramework - Serialization on 'Closure' is not allowed Needs Feedback 2020-05-12

Associated revisions

Revision 5c48857f (diff)
Added by Oliver Hader about 2 months ago

[BUGFIX] Relax constraints on serializing objects

With security advisory TYPO3-CORE-SA-2020-004 new
`BlockSerializationTrait` has been introduced blocking serialization
and deserialization for a couple of classes (see advisory for details).
Since this caused a couple of side-effects for valid use-cases, the
restriction on serialize() is removed - which is fine from a security
point of view.

Resolves: #91387
Releases: master, 9.5
Change-Id: I9a9d415deab80badc3c1517f2e0c0c3336d3d936
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64486
Tested-by: TYPO3com <>
Tested-by: Markus Klein <>
Tested-by: Georg Ringer <>
Tested-by: Oliver Bartsch <>
Tested-by: Andreas Fernandez <>
Reviewed-by: Markus Klein <>
Reviewed-by: Georg Ringer <>
Reviewed-by: Oliver Bartsch <>
Reviewed-by: Andreas Fernandez <>

Revision 8686d858 (diff)
Added by Oliver Hader about 2 months ago

[BUGFIX] Relax constraints on serializing objects

With security advisory TYPO3-CORE-SA-2020-004 new
`BlockSerializationTrait` has been introduced blocking serialization
and deserialization for a couple of classes (see advisory for details).
Since this caused a couple of side-effects for valid use-cases, the
restriction on serialize() is removed - which is fine from a security
point of view.

Resolves: #91387
Releases: master, 9.5
Change-Id: I9a9d415deab80badc3c1517f2e0c0c3336d3d936
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64370
Tested-by: TYPO3com <>
Tested-by: Andreas Fernandez <>
Reviewed-by: Andreas Fernandez <>

History

#1 Updated by Oliver Hader about 2 months ago

  • Is Regression set to Yes

#2 Updated by Gerrit Code Review about 2 months ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64486

#3 Updated by Gerrit Code Review about 2 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64486

#4 Updated by Gerrit Code Review about 2 months ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64486

#5 Updated by Markus Klein about 2 months ago

  • Description updated (diff)

#6 Updated by Benjamin Franzke about 2 months ago

  • Description updated (diff)

#7 Updated by Gerrit Code Review about 2 months ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64370

#8 Updated by Oliver Hader about 2 months ago

  • Related to Bug #91393: Cachingproblems after recent TYPO3 9.5.17 added

#9 Updated by Oliver Hader about 2 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#10 Updated by Oliver Hader about 2 months ago

  • Target version set to 9.5.18 & 10.4.3

#11 Updated by Oliver Hader about 2 months ago

  • Related to Bug #88613: Replace ObjectStorage & LazyObjectStorage with symfony/collection added

#12 Updated by Oliver Hader about 2 months ago

  • Related to Bug #91404: After update from 9.5.16 to 9.5.17 I get an error 'Cannot serialize' added

#13 Updated by Oliver Hader about 2 months ago

  • Related to Bug #91364: Extbase/CachingFramework - Serialization on 'Closure' is not allowed added

#14 Updated by Benni Mack about 2 months ago

  • Status changed from Resolved to Closed
